Point-to-Point on PIX - Page 4

sysopt Command
The previous commands shown in this example have set up the PPTP tunnel and users. What has not been done is to allow the users access through the firewall. The sysopt connection permit-pptp command allows for all authenticated PPTP clients to traverse the PIX interfaces. The sysopt command is used to change the default security behavior of the PIX Firewall in a number of different ways. There are many forms of this command, each acting slightly differently. Table 4-5 contains a list of the sysopt commands and a description of each of their functions. Each of these commands also has an associated no form of the command, which is used to reverse the behavior associated with the command.

Table 4-5: sysopt Commands

| Command | Description |
|---|---|
| sysopt connection enforcesubnet | Prevents packets with a source address belonging to the destination subnet from traversing an interface. For example, a packet arriving on the outside interface with an IP source address from an inside network is not allowed through. |
| sysopt connection permit-ipsec | Allows traffic from an established IPSec connection to bypass the normal checking of access lists, conduit commands, and access-group commands. In other words, once an IPSec tunnel has been established, its traffic is allowed through the interface on which the tunnel terminates. |
| sysopt connection permit-pptp | Allows traffic from an established PPTP connection to bypass access lists, conduit commands, and access-group commands. |
| sysopt connection tcpmss bytes | Forces TCP proxy connections to have a maximum segment size equal to the number specified by the bytes parameter. The default for bytes is 1380. |
| sysopt connection timewait | Forces TCP connections to remain in a shortened time-wait state of at least 15 seconds after a normal TCP session completes. |
| sysopt ipsec pl-compatible | Enables IPSec packets to bypass both NAT and the ASA features. This also allows incoming IPSec tunnels to terminate on an inside interface. For a tunnel crossing the Internet to terminate on the inside interface, the inside interface must have a routable IP address. |
| sysopt nodnsalias outbound | Denies outbound DNS A record replies. |
| sysopt noproxyarp interface_name | Disables proxy ARP on the interface specified by interface_name. |
| sysopt security fragguard | Enables the IP Frag Guard feature, which is designed to prevent IP fragmentation attacks such as LAND.c and teardrop. It works by requiring that responsive IP packets be requested by an internal host before they are accepted, and it limits the number of IP packets to 100 per second for each internal host. |
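Because permit-ipsec and permit-pptp let tunnel traffic bypass access lists entirely, and the no form of each command silently reverses it, it is worth checking a saved configuration for which sysopt forms are actually in effect. The following script is an added example (not from the book or from Cisco); the PIX configuration it reads is constructed, and the severity labels are this example's own classification based on Table 4-5.

```python
"""Audit a PIX running-config for sysopt lines that alter default security behaviour."""
import re

# Constructed sample configuration, not a real device's config.
SAMPLE_CONFIG = """\
PIX Version 6.3(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list inbound permit tcp any host 192.0.2.10 eq www
sysopt connection permit-pptp
sysopt connection permit-ipsec
sysopt connection tcpmss 1380
no sysopt security fragguard
sysopt noproxyarp inside
"""

# Classification used by this example: "review" forms bypass normal checks when
# enabled; "hardening" forms tighten checks, so their absence is reported.
SYSOPT_EFFECTS = {
    "connection permit-ipsec": ("review", "IPSec tunnel traffic bypasses access lists, conduits and access-groups"),
    "connection permit-pptp": ("review", "PPTP tunnel traffic bypasses access lists, conduits and access-groups"),
    "ipsec pl-compatible": ("review", "IPSec bypasses NAT and ASA checks; tunnels may terminate on an inside interface"),
    "security fragguard": ("hardening", "IP Frag Guard protects against fragmentation attacks"),
    "connection enforcesubnet": ("hardening", "drops packets whose source address belongs to the destination subnet"),
}

# Captures an optional leading "no" and the rest of the sysopt form.
SYSOPT_RE = re.compile(r"^\s*(no\s+)?sysopt\s+(.+?)\s*$")

def parse_sysopt(config_text):
    """Return {sysopt form: enabled} for every sysopt line; 'no sysopt ...' records False."""
    state = {}
    for line in config_text.splitlines():
        m = SYSOPT_RE.match(line)
        if m:
            state[m.group(2)] = m.group(1) is None
    return state

def audit(config_text):
    """Return (form, message) findings: risky forms that are on, hardening forms that are off."""
    state = parse_sysopt(config_text)
    findings = []
    for form, (severity, note) in SYSOPT_EFFECTS.items():
        enabled = state.get(form, False)  # absent from the config is treated as not set
        if severity == "review" and enabled:
            findings.append((form, "enabled: " + note))
        elif severity == "hardening" and not enabled:
            findings.append((form, "not enabled: " + note))
    return findings

if __name__ == "__main__":
    for form, message in audit(SAMPLE_CONFIG):
        print(f"sysopt {form}: {message}")
```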